HP 6125G HP Networking guide to hardening Comware-based devices - Page 4



# Configure the password of the local user in interactive mode.
[Sysname-luser-test] password
Password:***********
Confirm :***********
Updating user(s) information, please wait........
[Sysname-luser-test] quit
Disable unused services
As a security best practice, any unnecessary service must be disabled. Unneeded services, especially those that use
User Datagram Protocol (UDP), are infrequently used for legitimate purposes but can be used to launch DoS and other
attacks that would otherwise have to be prevented by packet filtering.
Following is a list of additional services that must be disabled if not in use:
• Issue the undo dhcp enable command in system view to disable DHCP.
• Issue the undo dns resolve command in system view to disable DNS.
• Issue the undo x25 switching command in system view to disable the X.25 switching function.
• Issue the undo ip http enable command in system view to disable the HTTP server.
• Issue the undo ip https enable command in system view to disable the HTTPS server.
If web management is required, keep the HTTPS server and disable only the HTTP server, so that management credentials
are never sent in cleartext. To verify the result, check display current-configuration for the corresponding undo lines;
Comware prints only settings that differ from their defaults, so a service that is enabled by default does not appear in
the output until you disable it.
Neighbor Discovery Protocol (NDP) is used to discover other NDP-enabled devices for neighbor adjacency and network
topology. NDP can be used by HGMP to manage a cluster. NDP must be disabled on all interfaces that are connected to
untrusted networks. This is accomplished by issuing the undo ndp enable command in interface view. Alternatively, NDP
can be disabled globally with the undo ndp enable command in system view, or on a set of interfaces by specifying an
interface list with that command in system view. Note that NDP can be used by a malicious user for reconnaissance and
network mapping.
Link Layer Discovery Protocol (LLDP) is the vendor-neutral discovery protocol defined in IEEE 802.1AB. LLDP is similar to
NDP, but it also interoperates with devices that do not support NDP. LLDP must be treated in the same manner as NDP and
disabled on all interfaces that connect to untrusted networks. To accomplish this, issue the undo lldp enable command in
interface view. To disable LLDP globally, issue the undo lldp enable command in system view. Like NDP, LLDP can be used
by a malicious user for reconnaissance and network mapping, because it advertises the device's identity, software
description, and port details to every station on the link.
EXEC timeout
To set how long the command interpreter waits for user input before it terminates a session, issue the idle-timeout
command in user interface view. Use it to log out idle sessions on virtual type terminal (VTY) and teletype terminal (TTY)
user interfaces. By default, sessions are disconnected after 10 minutes of inactivity. Setting idle-timeout to 0 disables
the timer, so an abandoned session would stay logged in indefinitely; do not use that value on production devices. The
following configuration applies a two-minute timeout to the console, AUX, and VTY user interfaces:
#
user-interface con 0
 idle-timeout 2 0
user-interface aux 0
 idle-timeout 2 0
user-interface vty 0 4
 idle-timeout 2 0
#
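To check a device against the two preceding sections (the services and discovery protocols under "Disable unused services" and the timeout values under "EXEC timeout") without reading every view by hand, the following script parses a saved display current-configuration dump. It is an example added here, not code from the HP guide: the sample configuration embedded in it is constructed, the five-minute policy ceiling is an assumption made for the example, and the only commands it looks for are the ones the guide names. Because Comware prints only settings that differ from their defaults, a service the dump says nothing about is reported as "default" rather than "disabled" and must be confirmed against the platform's defaults.

```python
import re

# Enabling keyword as printed in the configuration -> service name; a matching
# 'undo <keyword>' line counts as disabled.
SERVICE_KEYWORDS = {
    "dhcp enable": "DHCP",
    "dns resolve": "DNS",
    "x25 switching": "X.25 switching",
    "ip http enable": "HTTP server",
    "ip https enable": "HTTPS server",
    "ndp enable": "NDP (global)",
    "lldp enable": "LLDP (global)",
}
DEFAULT_IDLE_SECONDS = 10 * 60  # Comware default when no idle-timeout is configured
MAX_IDLE_SECONDS = 5 * 60       # policy ceiling assumed for this example
IDLE_RE = re.compile(r"^idle-timeout (\d+)(?: (\d+))?$")

# Constructed sample in 'display current-configuration' layout (not captured from
# a device): commands are indented one space, view headers start at column 0.
SAMPLE_CONFIG = """\
#
 undo dns resolve
 lldp enable
#
interface GigabitEthernet1/0/1
 undo ndp enable
 undo lldp enable
#
interface GigabitEthernet1/0/2
#
user-interface aux 0
 idle-timeout 2 0
user-interface vty 0 4
 idle-timeout 0 0
user-interface vty 5 15
#
"""


def parse_config(text):
    """Return (system_view_commands, {view_header: [commands under it]})."""
    system_lines, views, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            current = None                 # '#' closes the current view
        elif not raw.startswith(" "):
            current = stripped             # unindented line: new view header
            views.setdefault(current, [])
        elif current is None:
            system_lines.append(stripped)
        else:
            views[current].append(stripped)
    return system_lines, views


def service_states(system_lines):
    """'disabled', 'enabled', or 'default' when the dump is silent about it."""
    def state(keyword):
        if f"undo {keyword}" in system_lines:
            return "disabled"
        return "enabled" if keyword in system_lines else "default"
    return {name: state(kw) for kw, name in SERVICE_KEYWORDS.items()}


def discovery_findings(system_lines, views):
    """Interfaces with no explicit 'undo ndp/lldp enable' while not globally off."""
    globally_off = {p for p in ("ndp", "lldp") if f"undo {p} enable" in system_lines}
    findings = []
    for header, cmds in views.items():
        if header.startswith("interface "):
            for proto in ("ndp", "lldp"):
                if proto not in globally_off and f"undo {proto} enable" not in cmds:
                    findings.append(f"{header}: {proto.upper()} not disabled on interface")
    return findings


def idle_timeout_findings(views):
    """Flag user interfaces whose timer is disabled (0) or above the policy ceiling."""
    findings = []
    for header, cmds in views.items():
        if not header.startswith("user-interface "):
            continue
        seconds = DEFAULT_IDLE_SECONDS     # no idle-timeout line: default applies
        for cmd in cmds:
            m = IDLE_RE.match(cmd)
            if m:
                seconds = int(m.group(1)) * 60 + int(m.group(2) or 0)
        if seconds == 0:
            findings.append(f"{header}: idle-timeout 0 disables the inactivity timer")
        elif seconds > MAX_IDLE_SECONDS:
            findings.append(f"{header}: idle-timeout {seconds}s exceeds policy {MAX_IDLE_SECONDS}s")
    return findings


def audit(text):
    system_lines, views = parse_config(text)
    return {"services": service_states(system_lines),
            "discovery": discovery_findings(system_lines, views),
            "idle_timeout": idle_timeout_findings(views)}
```

Calling audit(SAMPLE_CONFIG) on the constructed dump reports DNS as disabled, LLDP as explicitly enabled globally, everything else as default, flags GigabitEthernet1/0/2 for both NDP and LLDP, and flags vty 0 4 (timer disabled) and vty 5 15 (10-minute default above the 5-minute ceiling), while aux 0 with its two-minute timeout passes. Save the real dump with a terminal capture and pass its text to audit in the same way.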
Using management interfaces
A device’s management plane is accessed in band or out of band on a physical or logical management interface. Ideally,
both in-band and out-of-band management access exist for each network device so that the management plane can be
accessed during network outages.
One of the most common interfaces that are used for in-band device access is the logical loopback interface. Loopback
interfaces are always up, whereas physical interfaces can change state and potentially be inaccessible. It is
recommended that you add a loopback interface to each device as a management interface and that it be used